
Full hard drive - virus? [CLOSED]



#1 Thingol (Member, 12 posts)
HI! I'm new to this forum and this is my first post ;)

I'm currently having some problems and I would appreciate any help I can get.
Problem is I suddenly ran out of hard disk space. I had 30 GB free, and a few hours after I installed an automatic Windows update I got a message saying I had almost no free space on my hard disk. I'm not saying the update had anything to do with it; I have no grounds to think so, but...
I checked and I had only 41 MB left. At the moment I was running ZoneAlarm Firewall, Kaspersky Anti-Virus Personal Pro 5.0.14 and Microsoft AntiSpyware (my Windows XP does not have SP2 installed...).
I already went through the "You must read this before posting..." and I downloaded and ran everything that was listed. I also ran a scan with Kaspersky and checked online antivirus.
I freed some space up and it doesn't seem like it is shrinking or anything (as was the case before...)

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:04:07, on 15/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
c:\archiv~1\intern~1\iexplore.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Opera75\opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obsdgbhfg...GEjnPYKwDT.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22626A53-FE28-2595-6298-989DE7D46378} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BOOKPOLLGRAMMPEG] C:\Documents and Settings\All Users\Datos de programa\encbuildbookpoll\WIPETRUST.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [humortadela] C:\WINDOWS\System32\svchost.scr
O4 - HKLM\..\Run: [humortadela (1)] C:\WINDOWS\System32\svchost.scr
O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FlapIdle] C:\DOCUME~1\Gerardo\DATOSD~1\THUNKM~1\blue phone.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &NeoTrace It! - C:\ARCHIV~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Archivos de programa\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {7AD10B4D-6A18-4379-95A6-6BAD7CE7FD01} (Project1.SBC) - http://www.spybounce.../collect/sb.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.datafull....bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Archivos de programa\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I don't use IE anymore. It got infected with some nasty toolbars that I couldn't get rid of, so I just keep using Opera as my default browser instead.



I'm not really sure if I'm missing some important info (hope not), but I'm sure you'll let me know if that's the case.

Well, I think that's it for now...


P.s. If you got here I thank you just for taking the time to read this!! ;)

Edited by Thingol, 15 May 2005 - 09:16 PM.

  • 0



#2 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obsdgbhfg...GEjnPYKwDT.html

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {22626A53-FE28-2595-6298-989DE7D46378} - blank (file missing)

O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - blank (file missing)

O4 - HKLM\..\Run: [BOOKPOLLGRAMMPEG] C:\Documents and Settings\All Users\Datos de programa\encbuildbookpoll\WIPETRUST.exe

O4 - HKLM\..\Run: [humortadela] C:\WINDOWS\System32\svchost.scr
O4 - HKLM\..\Run: [humortadela (1)] C:\WINDOWS\System32\svchost.scr

O4 - HKCU\..\Run: [FlapIdle] C:\DOCUME~1\Gerardo\DATOSD~1\THUNKM~1\blue phone.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Archivos de programa\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {7AD10B4D-6A18-4379-95A6-6BAD7CE7FD01} (Project1.SBC) - http://www.spybounce.../collect/sb.ocx

Reboot into safe mode and delete:
C:\Documents and Settings\All Users\Datos de programa\encbuildbookpoll <= entire folder
C:\Documents and Settings\Gerardo\Datos de programa\THUNKM~1 <= foldername abbreviated, but delete the one that holds blue phone.exe
C:\WINDOWS\System32\svchost.scr

Boot back to normal and download, install, and run CleanUp!

Download and unzip to one folder:
http://metallica.gee...com/findlop.zip

Inside the folder find findlop.bat

Doubleclick it and it will create the file C:\findlop.txt
Find that file and copy the content into your next post along with a new HijackThis log.

Regards,
  • 0
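The entries picked out of the log above follow a few recognisable patterns: orphaned entries ("file missing" / "no file"), a hijacked Search Bar, autorun targets living under a user's profile or data folder rather than Program Files, and a system process name (svchost) with a screensaver extension. The script below is an added example, not the helper's tool and not part of the original thread; it applies those heuristics to HijackThis lines (the sample lines are copied from the first log in this thread) so the same triage can be repeated on any log. The directory names and expected hosts are assumptions chosen for this example.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obsdgbhfg...GEjnPYKwDT.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22626A53-FE28-2595-6298-989DE7D46378} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BOOKPOLLGRAMMPEG] C:\Documents and Settings\All Users\Datos de programa\encbuildbookpoll\WIPETRUST.exe
O4 - HKLM\..\Run: [humortadela] C:\WINDOWS\System32\svchost.scr
O4 - HKLM\..\Run: [KAV50] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKCU\..\Run: [FlapIdle] C:\DOCUME~1\Gerardo\DATOSD~1\THUNKM~1\blue phone.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Core Windows process names that malware imitates; a file carrying one of
# these names is expected to be an .exe, never a .scr (assumed list).
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "smss"}
# Folder names (English, and the Spanish long/short forms seen in this log)
# under which a permanent autorun target is unusual (assumed list).
SUSPECT_DIRS = {"documents and settings", "docume~1", "application data",
                "datos de programa", "datosd~1", "temp", "all users"}
# Hosts an IE Search Bar / Start Page normally points to (assumption).
EXPECTED_HOST_SUFFIXES = ("microsoft.com", "msn.com")

# First drive-rooted path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\.*?\.(?:exe|scr|com|bat|pif))"?', re.I)


def executable_path(command):
    """Return the executable referenced by an O4 command line, or None."""
    m = PATH_RE.search(command)
    return PureWindowsPath(m.group("path")) if m else None


def triage_line(line):
    """Return the reasons (possibly none) a HijackThis line deserves a look."""
    reasons = []
    low = line.lower()
    prefix = line.split(" - ", 1)[0]
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: referenced file is missing")
    if prefix == "R3" and "is missing" in low:
        reasons.append("default URLSearchHook has been removed")
    if prefix in ("R0", "R1") and "=" in line:
        url = line.split("=", 1)[1].strip()
        host = urlsplit(url).hostname or ""
        if url.lower().startswith("http") and not host.endswith(EXPECTED_HOST_SUFFIXES):
            reasons.append(f"browser setting points at {host}")
    if prefix == "O4":
        # Everything after the [name] tag (Run keys) or "=" (startup links).
        command = line.split("]", 1)[-1] if "]" in line else line.split("=", 1)[-1]
        path = executable_path(command)
        if path is not None:
            if {p.lower() for p in path.parts} & SUSPECT_DIRS:
                reasons.append(f"autorun target lives under a profile/data folder: {path}")
            if path.stem.lower() in SYSTEM_NAMES and path.suffix.lower() != ".exe":
                reasons.append(f"system process name with {path.suffix} extension: {path.name}")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Entries that pass these checks are not proven clean; the heuristics only reproduce the first-pass sorting a helper does by eye.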

#3 Thingol (Member, 12 posts)
First of all, thank you for your answer. Now, I couldn't find some of the items listed in the HijackThis log. I'm guessing that has to do with the fact that I downloaded and ran a number of anti-spyware and malware removal tools since I first posted.
I couldn't find blue phone.exe in the following folder: C:\Documents and Settings\Gerardo\Datos de programa\THUNKM~1 (there were only two or three files, none of which was blue phone.exe); and I couldn't erase C:\WINDOWS\System32\svchost.scr, because it was being used (I thought of ending the process with Ctrl+Alt+Del, but since I wasn't sure why it was being used I didn't do it). I already ran CleanUp! and I downloaded findlop; here it is:


[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A030A63E918B216E.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\archiv~1\thunkm~1\RULE CHIC NAME.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Gerardo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/15/2004 3:00:00
NextRun: 05/26/2005 13:00:00
StartError: 0x80070003
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/03/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'AD10EDCC918761D4.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\gerardo\datosd~1\thunkm~1\RULE CHIC NAME.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Gerardo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/18/2005 1:00:00
NextRun: 05/26/2005 13:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/13/1997
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{5690A12A-C40C-4F58-BDB0-B882D7A13140}_THINGOL_Gerardo.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{5690A12A-C40C-4F58-BDB0-B882D7A13140}_THINGOL_Gerardo"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/25/2005 16:00:00
NextRun: 05/26/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{B5FFF6B7-B198-4F88-B2C0-A7DC2C30E43A}_THINGOL_Gerardo.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{B5FFF6B7-B198-4F88-B2C0-A7DC2C30E43A}_THINGOL_Gerardo"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/06/2005 16:00:00
NextRun: 05/27/2005 16:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .....F.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 16:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '{CDF65A28-3C63-4648-95DC-68349212A105}_THINGOL_Gerardo.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{CDF65A28-3C63-4648-95DC-68349212A105}_THINGOL_Gerardo"'
WorkingDirectory: ''
Comment: ''
Creator: 'SyncMgrInternalCreatorName'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 04/07/2005 9:00:00
NextRun: 05/27/2005 9:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: .MTWRF.
StartDate: 01/01/1970
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


-----------------------------------------------------------------------------------------------
Here's my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:40, on 26/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\Logitech\iTouch\iTouch.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Archivos de programa\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Archivos de programa\Logitech\MouseWare\system\em_exec.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\Opera75\opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\Security\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (disabled by BHODemon)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Archivos de programa\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Archivos de programa\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &NeoTrace It! - C:\ARCHIV~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARCHIV~1\MICROS~4\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Archivos de programa\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.datafull....bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Archivos de programa\CPUCooL\CooLSrv.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Well, let me thank you again! I'll be looking forward to your response.
  • 0

#4 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
That Thunkm folder has to go. It's C2Media/LOP spyware.

Copy the part in bold below into notepad and save it as remlop.bat in the same folder as findlop.bat

@echo off
jt /sd A030A63E918B216E.job
jt /sd AD10EDCC918761D4.job
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt


Double-click that file and it will remove those two Scheduled Tasks.

Now I think that C:\WINDOWS\System32\svchost.scr is a virus.

Surf to http://virusscan.jotti.org/ and upload that file there.
Let me know the results. If I'm right it may be important to know what it does and which AV's detect it.

Your log looks good now, so I think it is disabled. Do NOT doubleclick or otherwise activate that file while searching for it.

Regards,
  • 0
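The two jobs that remlop.bat deletes stand out in the findlop.txt dump above for the same reasons a helper spots them: they are hidden (Hidden = 1), they point into a user data folder, and their StartError shows the target no longer exists. The script below is an added example, not the helper's findlop/remlop tooling and not part of the original thread; it parses that jt-style job dump (the sample is an excerpt of the dump posted above) and builds the same kind of removal batch. The folder list and the "hidden plus broken or user-data target" rule are assumptions chosen for this example.

```python
import re

# Excerpt of the findlop.txt dump posted in this thread (one C2Media/Lop job,
# one legitimate Synchronization Manager job), trimmed to the fields used here.
SAMPLE_DUMP = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A030A63E918B216E.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\archiv~1\thunkm~1\RULE CHIC NAME.exe'
Parameters: ''
Creator: 'Gerardo'
StartError: 0x80070003
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1

Trigger 0:
Type: Daily

[TRACE] Activating job 'AD10EDCC918761D4.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\gerardo\datosd~1\thunkm~1\RULE CHIC NAME.exe'
Parameters: ''
Creator: 'Gerardo'
StartError: 0x80070002
Status: SCHED_S_TASK_READY
Hidden = 1

[TRACE] Activating job '{5690A12A-C40C-4F58-BDB0-B882D7A13140}_THINGOL_Gerardo.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\mobsync.exe'
Parameters: ' /Schedule="{5690A12A-C40C-4F58-BDB0-B882D7A13140}_THINGOL_Gerardo"'
Creator: 'SyncMgrInternalCreatorName'
StartError: S_OK
Status: SCHED_S_TASK_READY
Hidden = 0
"""

JOB_RE = re.compile(r"\[TRACE\] Activating job '(?P<job>.+?\.job)'")

# Folder names under which a scheduled task's executable is unusual
# (English plus the Spanish 8.3 forms seen in the dump; assumed list).
SUSPECT_DIRS = ("docume~1", "datosd~1", "documents and settings",
                "application data", "datos de programa", "temp")


def parse_jobs(dump):
    """Split a jt job dump into one dict per job ("Key: value" and "Flag = n" lines)."""
    jobs, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            current = {"job": m.group("job")}
            jobs.append(current)
            continue
        if current is None or not line or line.startswith("[TRACE]"):
            continue
        if ": " in line:                      # ApplicationName: '...'
            key, _, val = line.partition(": ")
            current[key] = val.strip("'")
        elif " = " in line:                   # Hidden = 1
            key, _, val = line.partition(" = ")
            current[key] = val
    return jobs


def suspect_reasons(job):
    """Reasons a job looks like leftover malware persistence (empty if none)."""
    if job.get("Hidden") != "1":
        return []
    app = job.get("ApplicationName", "").lower()
    reasons = []
    if any(d in app for d in SUSPECT_DIRS):
        reasons.append("hidden task runs from a user data folder")
    if job.get("StartError", "S_OK") not in ("S_OK", "0"):
        reasons.append(f"hidden task whose target fails to start ({job['StartError']})")
    return reasons


def removal_batch(jobs, tasks_file=r"c:\tasks.txt"):
    """Build a remlop.bat-style script: jt /sd each flagged job, then re-export with jt /se."""
    lines = ["@echo off"]
    lines += [f"jt /sd {j['job']}" for j in jobs if suspect_reasons(j)]
    lines += [f"if exist {tasks_file} del {tasks_file}", f"jt /se >>{tasks_file}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_jobs(SAMPLE_DUMP)
    for job in parsed:
        for reason in suspect_reasons(job):
            print(f"{job['job']}: {reason}")
    print(removal_batch(parsed))
```

The generated batch still relies on the jt.exe tool the helper shipped alongside findlop.bat; the script only decides which job names go into it.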

#5 Thingol (Member, 12 posts)
OK, I've done everything you asked. I ran the remlop.bat file and I scanned that svchost file; here's the result:

File: svchost.exe
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a4750c0ec60195a38c88721c4a5c93aa
Packers detected: -

Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


I guess it's nothing then... but it's funny, I still don't have those 30 GB that I lost that day, and I'm running out of options but to think that it may be the hard drive itself (meaning it's a hardware issue). Is this possible??


P.s:
I found something on svchost.exe on http://support.micro...om/?kbid=314056 :

The Svchost.exe file is located in the %SystemRoot%\System32 folder. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Svchost.exe groups are identified in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost
Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:





Thank you again!!

Edited by Thingol, 26 May 2005 - 05:56 PM.

  • 0

#6 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
Let's get something straight before total confusion sets in.

I asked you to scan svchost.scr.
That is a completely different file than svchost.exe (which is indeed a legitimate Windows file).

Please read: http://www.logicalti...icle.asp?ID=209
Also see HERE for how to show hidden files.

Let me know the results for svchost.scr

Regards,
  • 0

#7 Thingol (Member, 12 posts)
Hi, sorry... you were right, I scanned the wrong file, but it happens that I don't have that svchost.scr file on my computer anymore... perhaps it was fixed by one of the many antivirus programs I used. I looked for it "manually" and I did a search (including all system and hidden files) and nothing came up. If you look at my 2nd HijackThis log you'll see that there is no svchost.scr either.
If I'm doing something wrong or if I'm missing something please let me know.

Thanks for your :tazz:
  • 0

#8 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
You are right. It was probably destroyed by one of the scans.

If I have to guess, I'd say this one: http://securityrespo...l.bancos.x.html

I can't find anywhere where the logs and screenshots it makes are stored exactly.

Can you do a find file for *.log and see if you find a big one (several MB)?

Don't do anything with it yet. It may hold information we can use to find more.

Regards,
  • 0

#9 Thingol (Member, 12 posts)
Ok, here's the list of the biggest .log files on my computer:


C:\Documents and Settings\All Users\Datos de programa\Microsoft\Dr Watson\drwtsn32.log 29 MB

C:\WINDOWS\system32\nvsvc.log 7 MB

C:\WINDOWS\system32\CatRoot2\edb.log 5.120 KB
C:\WINDOWS\system32\CatRoot2\edb00002.log 5.120 KB
C:\WINDOWS\system32\CatRoot2\res1.log 5.120 KB
C:\WINDOWS\system32\CatRoot2\res2.log 5.120 KB

C:\WINDOWS\system32\MsDtc\MSDTC.log 4.096 KB


And there are some others, but they're under 4 MB (which already seems small enough). Well, I hope it's of some use.
  • 0

#10 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
None of those are what we are looking for.

Please download, install and run RootkitRevealer:
http://www.sysintern...kitreveal.shtml

Post the log it makes.

Regards,
  • 0

#11 Thingol (Member, 12 posts)
As I was running the rootkit scan, Microsoft AntiSpyware alerted me that a Windows service was trying to be added. Its name: KBEBM.exe

I blocked it because I didn't know what it was and I wasn't sure it had anything to do with RootkitRevealer. (If it is a valid service required by RootkitRevealer, please tell me and I'll enable it.)

Here's the scan:


HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 28/5/2005 12:59 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 28/5/2005 12:59 4 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Gerardo\Configuración local\Archivos temporales de Internet\Content.IE5\01GHQR81\a[1].:KAVICHS 15/5/2005 22:37 36 bytes Hidden from Windows API.
C:\Documents and Settings\Gerardo\Configuración local\Archivos temporales de Internet\Content.IE5\2HF0LWFU\gb.fotolog[1].:KAVICHS 15/5/2005 22:37 36 bytes Hidden from Windows API.
C:\Documents and Settings\Gerardo\Configuración local\Archivos temporales de Internet\Content.IE5\O3F3IS5D\flash[1].:KAVICHS 15/5/2005 22:37 36 bytes Hidden from Windows API.
C:\Documents and Settings\Gerardo\Configuración local\Archivos temporales de Internet\Content.IE5\S3NVEWTL\search[1].:KAVICHS 15/5/2005 22:37 36 bytes Hidden from Windows API.
C:\Documents and Settings\Gerardo\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 28/5/2005 12:41 36 bytes Hidden from Windows API.
C:\Documents and Settings\Gerardo\Configuración local\Datos de programa\Microsoft\Windows\UsrClass.dat:KAVICHS 16/5/2005 1:50 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\EventCache\{EE57FDC7-29C1-4C58-A0C3-CFF87BC0EF35}.bin:KAVICHS 14/5/2005 11:31 68 bytes Hidden from Windows API.



Thank you!

Edited by Thingol, 28 May 2005 - 11:15 AM.

  • 0

#12 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
RootkitRevealer uses random service names, so I can't be completely sure, but it does add a service. The name is random so rootkits can't anticipate it.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • {EE57FDC7-29C1-4C58-A0C3-CFF87BC0EF35}
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#13 Thingol (Member, 12 posts)
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{EE57FDC7-29C1-4C58-A0C3-CFF87BC0EF35}" 28/5/2005 16:58:20

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\Sus]
"CurrentCacheFile"="C:\\WINDOWS\\SoftwareDistribution\\EventCache\\{EE57FDC7-29C1-4C58-A0C3-CFF87BC0EF35}.bin"


By the way, I ran Registry Mechanic and it found that kbebm.exe file in the registry as an invalid value. Here's the location: C:DOCUME~1\Gerardo\CONFIG~1\Temp\KBEBM.exe

And here's the key name HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache


Registry mechanic advised to delete it. What should I do??


Thanks again!

Edited by Thingol, 28 May 2005 - 02:34 PM.

  • 0

#14 Metallica (Spyware Veteran, GeekU Moderator, MVP, 30,583 posts)
Yes, you can delete it. Since you blocked the install, the key is indeed invalid.

The EventCache looks like a false alarm. It's related to Windows Update.

Please use Find Files like this
All files and folders
Advanced
Size > Minimum 100 MB

That will result in a more or less readable list.
Look for enormous files (> 1 GB)
or for a lot of files of exactly the same size that were created around the time you first noticed problems.

Regards,
  • 0

#15 Thingol (Member, 12 posts)
Here's the only file I found that's more than 100 MB, and I don't know what it is exactly, but I'm guessing it's valid...

c:\pagefile.sys 788.480 kb

There are no more files I don't know about that are bigger than 50 MB on my hard drive...

Seriously, do you think it may be possible that this is a hardware issue??? If so, how do I make sure of it??


Once again: thank you very much for your help!!
  • 0
